WordPress OptimizePress Theme – File Upload Vulnerability

We're a few days late on this, but it's still worth publishing, since the number of attacks against this vulnerability is increasing tenfold.

The folks at OSIRT were the first to report this in late November 2013. In the cases we are handling we see mostly defacements; they are not devastating, but they are a real nuisance for an unsuspecting website owner.

This is an important announcement for OptimizePress 1.0 users. (Please note this does NOT apply to OptimizePress 2.0 which is built with a completely new codebase)

Back in April 2013 we discovered a potential security flaw in part of the code for OptimizePress 1.0. Our developers quickly patched this issue and we released an update to the platform. We also announced this to our customers via email, although it appears now that many of our users may not have received this email. – OptimizePress Team (Read Full)

The Vulnerability

The target of the attack is the file lib/admin/media-upload.php. It can be used to upload any file into the wp-content/uploads/optpress/images_comingsoon directory, and it keeps the original file name and extension. Since that directory is web-accessible, a file uploaded as .php arrives as a .php file that the server will execute.

Vulnerable versions of this file provide the upload functionality to anyone, without any authentication, while newer patched versions check for administrator permissions first. It is easy to tell one from the other.

The same upload code is duplicated in two more files of the theme: lib/admin/media-upload-lncthumb.php and lib/admin/media-upload-sq_button.php.

Be mindful that premium themes tend to copy the same code across several files, so you need to review every copy to ensure you are not leaving other files unpatched. The last thing you want is to patch one file and leave the other two vulnerable.

These two files upload to:

wp-content/uploads/optpress/images_lncthumbs and wp-content/uploads/optpress/images_optbuttons

The patched versions of these files carry the same current_user_can("add_user") check as the patched media-upload.php.

Working with OptimizePress powered sites

This theme is quite popular, especially with blogs that sell or promote products. Many of them still run the older version of OptimizePress, partly because such sites often lack capable administrators, and partly because the upgrade to newer versions is not free and the theme can be pricey for some owners.

So if you find OptimizePress on a server, please check the installation.

Look for the following files:

lib/admin/media-upload.php
lib/admin/media-upload-lncthumb.php
lib/admin/media-upload-sq_button.php

If they don't have the current_user_can("add_user") check, then add the following code right after the first line, include "../../../../../wp-config.php";.
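As an added example, not code from the original post or from OptimizePress, here is a POSIX shell script that performs the checks above on a live install. It classifies each of the three handler files as patched, missing or vulnerable by looking for the current_user_can("add_user") check; it lists non-image files left in the three upload directories, which matters because the handlers keep the uploaded extension, so a .php file sitting there is a strong sign of the defacement activity described above; and, on request, it inserts a guard line after the wp-config.php include. The theme directory name, the .bak backup, the image whitelist and the exact guard text are this example's assumptions: the guard is a one-line check in the shape the post describes, not the vendor's exact patch.

```shell
#!/bin/sh
# Audit script added as an example for this post; it is not code from the
# original article or from OptimizePress. File names come from the post; the
# guard text, the ".bak" backup name, the theme directory name and the
# image-extension whitelist are this example's assumptions.

# The three upload handlers named in the post, relative to the theme directory.
OP_UPLOAD_HANDLERS="lib/admin/media-upload.php
lib/admin/media-upload-lncthumb.php
lib/admin/media-upload-sq_button.php"

# The directories those handlers write into, relative to the WordPress root.
OP_UPLOAD_DIRS="wp-content/uploads/optpress/images_comingsoon
wp-content/uploads/optpress/images_lncthumbs
wp-content/uploads/optpress/images_optbuttons"

# What a patched handler contains; "." stands for either quote style.
OP_GUARD_PATTERN='current_user_can(.add_user'

# op_handler_status THEME_DIR HANDLER
# Prints "missing", "patched" or "VULNERABLE" for one handler file.
op_handler_status() {
    f="$1/$2"
    if [ ! -f "$f" ]; then
        echo missing
    elif grep -q "$OP_GUARD_PATTERN" "$f"; then
        echo patched
    else
        echo VULNERABLE
    fi
}

# op_audit_handlers THEME_DIR
# Prints "STATUS HANDLER" per file; exit status 1 if any file is VULNERABLE.
op_audit_handlers() {
    bad=0
    for h in $OP_UPLOAD_HANDLERS; do
        s=$(op_handler_status "$1" "$h")
        printf '%-10s %s\n' "$s" "$h"
        if [ "$s" = VULNERABLE ]; then bad=1; fi
    done
    return $bad
}

# op_dropped_files WP_ROOT
# Lists files in the upload directories that are not images. Because the
# handlers keep the uploaded extension, anything else here (.php above all)
# deserves a look.
op_dropped_files() {
    for d in $OP_UPLOAD_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' \
                                  -o -iname '*.png' -o -iname '*.gif' \)
    done
}

# op_patch_handler FILE
# Inserts an assumed-form capability check after the first line that includes
# wp-config.php, keeping a .bak copy. No-op if the file is already guarded.
# If the file has no wp-config.php include line, nothing is inserted.
op_patch_handler() {
    grep -q "$OP_GUARD_PATTERN" "$1" && return 0
    cp "$1" "$1.bak"
    awk '{ print }
         !done && /wp-config\.php/ {
             print "if (!current_user_can(\"add_user\")) { die(\"Not allowed\"); }"
             done = 1
         }' "$1.bak" > "$1"
}

# Usage: sh op_audit.sh /path/to/wordpress [/path/to/theme] [--patch]
if [ "$#" -ge 1 ]; then
    wp_root="$1"
    theme="${2:-$wp_root/wp-content/themes/OptimizePress}"   # assumed location
    echo "== handlers in $theme"
    op_audit_handlers "$theme" || echo "** at least one handler accepts uploads from anyone"
    echo "== non-image files in the OptimizePress upload directories"
    op_dropped_files "$wp_root"
    if [ "${3:-}" = "--patch" ]; then
        for h in $OP_UPLOAD_HANDLERS; do
            [ -f "$theme/$h" ] && op_patch_handler "$theme/$h"
        done
    fi
fi
```

Whatever capability string you end up using, confirm from an administrator session that the upload pages still work after the change, so that the check locks out anonymous visitors rather than everyone; and treat every non-image file the script lists as evidence to preserve before you clean up.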